[Openid-specs-ab] end_session endpoint parameter specs

Todd W Lainhart lainhart at us.ibm.com
Mon Jan 20 15:04:46 UTC 2014 

Hi Torsten -

> We see the need to trigger a logout from pages, which did not previously 
process a login (portal, landing page).

Would your page have a client_id available?  It's a requirement that the 
provided post_logout_uri be registered.  I was trying to intuit how that 
would be done given the current param spec, in which the client_id was 
only available (perhaps) as the "aud" field of the id_token.





Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com




From:   Torsten Lodderstedt <torsten at lodderstedt.net>
To:     Todd W Lainhart/Lexington/IBM at IBMUS, 
Cc:     "openid-specs-ab at lists.openid.net" 
<openid-specs-ab at lists.openid.net>
Date:   01/18/2014 03:44 AM
Subject:        Re: [Openid-specs-ab] end_session endpoint parameter specs



Hi Todd,

I think your proposal to make the id token hint required if the post 
logout uri is present limits applicability of the logout mechanism. We see 
the need to trigger a logout from pages, which did not previously process 
a login (portal, landing page). This would be impossible.

General note: I think the security consideration section must discuss open 
redirection at the end session endpoint. I assume registration of post 
logout uri serves the purpose of preventing this threat but this is not 
documented.

regards,
Torsten.

Am 17.01.2014 um 22:45 schrieb Todd W Lainhart <lainhart at us.ibm.com>:

Last week I filed: 

https://bitbucket.org/openid/connect/issue/914/session-5-missing-client_id-parameter 


...where I stated that a required client_id parm was missing that allowed 
for the verification of the post_logout_uri value.  I've implemented this 
endpoint, and I think that I see that this parm may not be necessary. 

Section 5 of the session mgmt. spec says this: 

//=========== 
This specification also defines the following parameters that are passed 
as query parameters in the logout request: 
id_token_hint 
RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a 
hint about the End-User's current authenticated session with the Client. 
This is used as an indication of the identity of the End-User that the RP 
is requesting be logged out by the OP. The OP need not be listed as an 
audience of the ID Token when it is used as an id_token_hint value. 
post_logout_redirect_uri 
OPTIONAL. URL to which the RP is requesting that the End-User's User Agent 
be redirected after a logout has been performed. The value MUST have been 
previously registered with the OP, either using the 
post_logout_redirect_uris Registration parameter or via another mechanism. 
If supplied, the OP SHOULD honor this request following the logout. 


//=========== 

I would reword these definitions to say something along the following 
lines: 

post_logout_redirect_uri  OPTIONAL.  The URL to which the RP is requesting 
that the End-User's User Agent be redirected to after the logout has been 
performed.  The value MUST have been previously registered with the OP, 
either using the post_logout_redirect_uris Registration parameter or via 
another mechanism.  If supplied, id_token_hint MUST be specified. 

id_token_hint REQUIRED if "post_logout_redirect_uri" is specified, 
otherwise RECOMMENDED.  The previously issued ID Token passed to the 
logout endpoint as a hint about the End-User's current authenticated 
session with the Client. This is used as an indication of the identity of 
the End-User that the RP is requesting be logged out by the OP. If 
"post_logout_redirect_uri" is specified, then the "aud" member of this 
token MUST be a single element, and MUST be the client_id to which the 
specified "post_logout_redirect_uri" is registered. 

Additionally, a decision should be made as to whether a state parameter 
should be included that can be round-tripped via the 
post_logout_redirect_uri.  Either that, or the value of the id_token_hint 
parm is returned via the post_logout_redirect_uri redirect. 

The implication of this is that the end_session_endpoint can be called 
with no parameters, an id_token_hint, or both id_token_hint and 
post_logout_redirect_uri. 







Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140120/fe686300/attachment.html>

More information about the Openid-specs-ab mailing list